[Pkg-utopia-maintainers] Bug#448539: avahi-daemon: user owns files, but is removed, and doesn't remove those files

[Justin Pryzby]

Package: avahi-daemon

For isolation, daemons runs as separate users.  In Debian most of
these users are created dynamically at postinstall time.  I think it's
agreed that users shouldn't be removed at postremove time since it's
possible that some files were created by the daemon.  If the daemon
user is removed, a later user might be created with the same UID
(possibly by another package's postinstall script) and it might lead
to the other daemon having access to some files to which it shouldn't.
In any case, files that might be created by a daemon package and owned
by the dedicated isolation user should be removed if the user is going
to be removed, or otherwise chowned to some safe permissions.

drwxr-xr-x 2 116 haclient 4096 2007-08-18 13:59 /var/run/avahi-daemon

--- avahi-0.6.21.orig/debian/avahi-daemon-check-dns.sh
[...]
+RUNDIR="/var/run/avahi-daemon/"
[...]
+ensure_rundir() {
+  if [ ! -d ${RUNDIR} ] ; then
+    mkdir -m 0755 -p ${RUNDIR}
+    chown avahi:avahi ${RUNDIR}
+  fi
+}
[...]
+  ensure_rundir

I think for this package, the postinst should do 
getent || adduser

without the --no-create-home option.  Then, instead of this runtime
check in a shellscript, do (also in the postinst):

dpkg-statoverride /var/run/avahi-daemon >/dev/null || {
	chmod 00755 "$RUNDIR"
	chown avahi:avahi "$RUNDIR"
}

Actually you might even include the directory in the package rather
than creating it at install-time.  I'm not sure.  dpkg has recent
changes that might determine when warnings are displayed for this in
the context of nonempty directories.

Otherwise the postrm should do
f=/var/run/avahi-daemon
rmdir "$f" || { chown root:root "$f" && chmod 00700 $f; }